One of the most popular idioms, "every coin has two faces", also applies to the boom in technological development. As technology is developed with its positive aspects in mind, a darker side develops alongside it. The mobile phone, for instance, is one of the wonderful inventions of the field, yet the device is also misused: missed calls, spam calls, and internet usage on mobile phones that damages youngsters' mindsets, to name a few. In such situations, a security policy becomes necessary. Content Security Policy is the most widely accepted and effective cyber-security mechanism against cross-site scripting (XSS), clickjacking and code injection, to name just a few vulnerabilities. The advantages of content protection are driven by two factors: the rise of computer-based tools for the creation and production of content, and high-speed systems that short-circuit the traditional publishing process by letting us share our work instantly with a global audience. The ultimate motive of having a Content Security Policy, therefore, is to ensure that the integrity of content stays true to the author's original intention, and that the file does not reveal sensitive data about the parent organization.

Why is Content Security Policy necessary?

Surfing online without being tracked is a myth: most sites use cookies and caches to analyse user activity and to keep a track record and analytics, which is "important". But hackers and site exploiters abuse this for their own ends, breaching users' privacy, stealing their passwords and so on. To prevent this trespassing, Content Security Policy comes into play. Content Security Policy (CSP) gives site owners a standard way to declare which content browsers should be allowed to load on the website, such as CSS, HTML, JavaScript, fonts, images, ActiveX, audio and video files.

Looking at the statistics, WhiteHat demonstrated that 86% of the websites tested in 2013 had between 1 and 56 serious vulnerabilities, and that only 61% of the vulnerabilities could be resolved, but doing so required an average of 193 days from first customer notification. Qihoo 360 demonstrated that 0.62 million of the 1.6 million websites it scanned in 2014 had serious security vulnerabilities. Among these, the cross-site scripting (XSS) attack is the most well-known form; it was ranked the fourth most dangerous software error by the SANS Institute in 2011 and the third web application security risk by the Open Web Application Security Project in 2013.

A question arises: how do exploiters breach privacy on the Web?

On a global scale, the Information Technology field is skyrocketing in the development of software, hardware, networking, cloud computing, programming and so on. Everyone is fascinated by the budding of new technology and development, but, on the other hand, some are fascinated by exploiting these technologies for their own interest, for money, for fun, or for being cool.

By what means they breach privacy is an important question. There are many ways of stealing and exploiting people's privacy on the Web, some of which are cross-site scripting (XSS), clickjacking and phishing attacks. This article focuses on these practices.

Let’s Get Started.

  1. Cross-site scripting: When are you vulnerable? You are vulnerable when someone attacks you in a moment of mental weakness. The same happens with websites: attackers inject JavaScript code into the web document when the website is in its most vegetative state. In this type of attack, malicious scripts are injected into websites. XSS attacks happen when a web application passes malicious code, usually in the form of browser-side scripts, on to an end user in order to steal information from the browser. The end user's browser has no way of telling whether the script came from a trusted source or not, so it blindly executes it. Since the script usually arrives from a trusted source, the browser assumes the code itself is trustworthy, and therefore allows the malicious script to access cookies, session tokens, caches, passwords and other information.
  2. Clickjacking: Also known as a "UI redress attack", it is in use today like nothing else. On a personal note, never visit a spam website, as such sites deliver malware when clicked. A "keystrokes" logger is one of the most famous pieces of freeware that can be integrated into a website to carry out a phishing attack. Once you click the link, the site tracks all the information about your browsing session, with snapshots and the keys pressed on the website. Suppose you visit your banking web page and log in to your account. If no website is tracking you, that is fine; if one is, your password and data are in the most vulnerable state. Clickjacking is also used to reroute the user from one page to another, most likely one owned by another application.
  3. Phishing attacks: "Phishing" is a word coined as a homophone of "fishing", and it works on a bait-and-prey model. The attacks are very similar to clickjacking, but instead of taking place on a website they are applied on a global scale by means of emails, messages, videos, social media, online payment gateways and so on. Example: a phishing email may carry a link to an infected website.
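The following is an added example, not code from the original article or from any of the projects it links to. It ties the declaration described under "Why is Content Security Policy necessary?" to the XSS and clickjacking items above: it builds a CSP header value, parses it back, and evaluates a set of constructed resource loads the way a browser would, so you can see which script sources a `script-src` directive permits and how `frame-ancestors` refuses an embedding page from a foreign origin. The page origin, host names, nonce and sample URLs are all assumed for illustration; the source-expression matching is a simplification of the real CSP algorithm (no port or path matching, hashes are not verified).

```javascript
// Added example (not from the original article): a minimal Content Security
// Policy builder and evaluator. Source-expression matching covers 'self',
// 'none', '*', scheme sources (https:, data:), host sources with an optional
// scheme and a leading "*." wildcard, nonces and 'unsafe-inline'. Real
// browsers implement more rules (ports, paths, hash sources, strict-dynamic).

const PAGE_ORIGIN = "https://www.example.com"; // constructed sample page origin

// Directives that must NOT fall back to default-src when absent (per the CSP spec).
const NO_FALLBACK = new Set(["frame-ancestors", "form-action", "base-uri"]);

// Serialise a directive map into a header value: "name src src; name src".
function buildPolicy(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(" ")}`)
    .join("; ");
}

// Parse a header value back into { directive: [source, ...] }.
function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Does a single source expression permit a load from `url` (a URL object)?
function sourceMatches(src, url, pageOrigin) {
  if (src === "'none'") return false;
  if (src === "*") return true;
  if (src === "'self'") return url.origin === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return url.protocol === src.toLowerCase(); // scheme-source
  if (src.startsWith("'")) return false; // other keywords (nonces, hashes, unsafe-*) never match a URL
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i.exec(src); // host-source, optional scheme
  if (!m) return false;
  const scheme = m[1];
  const host = m[2].toLowerCase();
  if (scheme && url.protocol !== scheme.toLowerCase() + ":") return false;
  if (host.startsWith("*.")) return url.hostname.endsWith(host.slice(1)); // "*.cdn.example" -> ".cdn.example"
  return url.hostname === host;
}

// Would the browser allow a fetch governed by `directive` from `urlString`?
function allowsLoad(policy, directive, urlString, pageOrigin = PAGE_ORIGIN) {
  const fallback = NO_FALLBACK.has(directive) ? undefined : policy["default-src"];
  const sources = policy[directive] ?? fallback ?? ["*"]; // nothing declared: unrestricted
  const url = new URL(urlString);
  return sources.some((src) => sourceMatches(src, url, pageOrigin));
}

// Would an inline <script> run? With a nonce or hash present, 'unsafe-inline' is ignored.
function allowsInlineScript(policy, nonce) {
  const sources = policy["script-src"] ?? policy["default-src"] ?? [];
  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha256|sha384|sha512)-/.test(s));
  if (!hasNonceOrHash && sources.includes("'unsafe-inline'")) return true;
  return nonce !== undefined && sources.includes(`'nonce-${nonce}'`);
}

// Constructed sample policy: own origin plus one CDN for scripts, nonce for inline,
// no embedding by foreign pages (clickjacking defence), no plugins.
const POLICY_HEADER = buildPolicy({
  "default-src": ["'self'"],
  "script-src": ["'self'", "https://cdn.example.net", "'nonce-r4nd0m'"],
  "img-src": ["'self'", "https:", "data:"],
  "frame-ancestors": ["'self'"],
  "object-src": ["'none'"],
});

// Constructed sample loads (assumed hosts) to evaluate against the policy.
const SAMPLE_LOADS = [
  ["script-src", "https://www.example.com/app.js"],
  ["script-src", "https://cdn.example.net/lib.js"],
  ["script-src", "https://attacker.example.org/x.js"],
  ["img-src", "https://images.example.org/a.png"],
  ["img-src", "http://images.example.org/a.png"],
  ["frame-ancestors", "https://www.example.com/"],
  ["frame-ancestors", "https://other.example.org/"],
];

function evaluateSampleLoads(header = POLICY_HEADER) {
  const policy = parsePolicy(header);
  return SAMPLE_LOADS.map(([directive, url]) => ({
    directive,
    url,
    allowed: allowsLoad(policy, directive, url),
  }));
}

console.log("Content-Security-Policy:", POLICY_HEADER);
console.table(evaluateSampleLoads());
```

The header value produced by `buildPolicy` is what the server would send as `Content-Security-Policy`; the evaluator only exists here to make the browser's decisions visible offline. Note that `frame-ancestors` deliberately does not inherit from `default-src`, and that once a nonce is listed, `'unsafe-inline'` stops having any effect, which is why a nonce-based policy is the usual way to allow a site's own inline scripts while still blocking injected ones.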

How Could I Write One?

  • MSDN Web Documents: case documents with appropriate examples and policies.
  • GitHub: policy delivery, integrations, reporting and Content Security Policies are described.
  • Mozilla Developers: a complete reference of directives and their uses, along with implementation details and client support information.
  • Chrome extension: documentation targeted at extension development.
  • Chrome app: documentation targeted at application development.
  • Microsoft Edge: documentation for Microsoft Edge content security.
  • Safari: the browser does not like CSP. Browser codes are given in the link.
  • Keyloggers: an article explaining various methods of preventing keylogging attacks.
  • Clickjacking: the OWASP site provides a defence cheat sheet against clickjacking.
  • Phishing: an overview of how phishing attacks are carried out and measures to prevent them.
  • Open Source: the hyperlink lists numerous open-source freeware tools for content security.

Statistical Analysis of Content Security Policy

Analysis based on statistical reports on Content Security Policy:

  1. 0.1% of websites on the entire web (515,584 of 371,373,051) use Content Security Policy. Source: BuiltWith
  2. The shopping and business industries are the most active users of CSP. Source: SimilarTech
  3. YouTube ranks top in using Content Security Policy. Source: SimilarTech
  4. Geographically, Japan ranks second after the US in using Content Security Policy worldwide. Source: SimilarTech
  5. The first known phishing attack against a retail bank was reported by The Banker in September 2003. Source: Wikipedia
  6. In 2005 there were 173,063 phishing attacks, whereas by 2015 there were 1,413,978. Source: Wikipedia
  7. Most phished country worldwide: China. Source: APWG trends
  8. The ports most used for phishing attacks in 2012 were 80, 443 and 21. Source: APWG trends
  9. Trojans accounted for 80% of malware attacks in 2012. Source: APWG trends

Be Aware!

  1. Be aware of what you share: Social media platforms have become like water to us; we cannot survive without them. Facebook, Twitter, YouTube and similar platforms now connect the globe. But be careful when filling in profile information on these sites. People signing up for an email account or bank login commonly use their mother's maiden name as a security question and their date of birth as a password, a casual mentality. Be aware that hackers can retrieve this information from your social media accounts in a snap of the fingers. So it is important not to share these confidential details publicly.
  2. Be aware of password stealing: As mentioned above, people put their date of birth, the last digits of their phone number, nicknames, a girlfriend's name and so on into their passwords. Even a noob can recover such passwords from your profile information. So it is a rule of thumb for every internet user to use strong passwords for their accounts. Use a password generator to produce random, strong passwords.
  3. 2-step verification: Even with a strong password, you cannot trust everyone living nearby. So always prefer a login system protected by 2-step verification.
  4. Be aware of Wi-Fi hotspots: On a public Wi-Fi hotspot, hackers seek to capture users' confidential credentials. Public hotspots are mostly open and do not encrypt data transfers, meaning that email passwords, bank account details and the like are in a vulnerable state.

In summary, it is now fairly clear that Content Security Policies not only help a web user to be aware of vulnerabilities but also help to counter numerous means of exploitation and data theft. Content Security Policy is thus a step towards improving cyber security.

If you are the owner of an LMS, you may find it difficult to implement security protocols. Read this blog: Data Security Management in LMS
